Analysis
- max time kernel: 4s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 24-05-2022 13:43
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe
  - Resource: win7-20220414-en
General
- Target: 8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe
- Size: 621KB
- MD5: d41a2901bf1d0f3ba6b9498d6542c437
- SHA1: cbbb9798a8bec4aa787cb4de24e07bcbe4a16983
- SHA256: 8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac
- SHA512: 231d6a471c8d41d7fbcaf4278af36bfb8495a57327210ef71d9be98a80ba7ec312dc92c1a75448df63a5362917bf35814e4e32c10ef2f3b33536b408d6f7e504
Malware Config
Extracted (family: limerat)
- (unnamed field): 1PPgmaXrzTj4ZXMTWNLh6VcmKRgU817rdK
- aes_key: nyancat
- antivm: false
- c2_url: https://pastebin.com/raw/FvCAV8it
- delay: 3
- download_payload: false
- install: false
- install_name: Wservices.exe
- main_folder: Temp
- pin_spread: true
- sub_folder: \
- usb_spread: true

Reading the config: antivm is false, so this build does not run its VM check, which is why the sandbox saw full behaviour. install is false, so install_name, main_folder and sub_folder (Wservices.exe under Temp) describe a persistence path this build does not use. c2_url is a Pastebin raw paste rather than a host:port; LimeRAT fetches the paste at runtime to learn its live C2 address, so the paste content, not this URL, is the indicator that changes when the operator moves infrastructure. usb_spread and pin_spread are both true.
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 952 avdisable.exe
- Loads dropped DLL (3 IoCs)
  Processes: PID 532 8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe (three loads)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  The extracted c2_url (https://pastebin.com/raw/FvCAV8it) is a Pastebin raw paste that LimeRAT resolves to its real C2 address.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic heuristic labels this "likely ransomware behaviour"; with usb_spread = true in the extracted config, LimeRAT copying itself to removable drives is the more likely explanation, and nothing else in this run shows encryption activity.
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (source PID and image, target PID and image, one row per call in the report):
    532  8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe -> 952  avdisable.exe   (4 calls)
    952  avdisable.exe -> 1408 cmd.exe   (4 calls)
    1408 cmd.exe -> 1792 reg.exe   (3 calls)
    1408 cmd.exe -> 1272 reg.exe   (3 calls)
  Each row is a parent writing into a process it has just created (CreateProcess writes the child's startup data before the child runs), not injection into an unrelated process. Read as lineage, the rows give: sample -> avdisable.exe -> cmd.exe (PID 1408, running 234C.bat) -> reg.exe (PIDs 1792 and 1272). That chain is the useful detection shape here: reg.exe reached through cmd.exe from a binary dropped under %TEMP%\RarSFX0.
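The lineage in that table can be rebuilt mechanically. The Python below is an added example, not part of the sandbox report: it parses the report's own WriteProcessMemory rows (embedded as constructed input, one row per line) into a parent/child map, walks each reg.exe or schtasks.exe back to its root, and flags chains in which any ancestor is not a known OS image, which is the shape of the avdisable.exe chain and not of an administrator typing the same command into a shell. The row regex, the allow-list of OS images and the benign comparison rows are this example's assumptions.

```python
"""Rebuild process lineage from the sandbox's WriteProcessMemory rows.

Added example for this page, not part of the sandbox report. The sample rows
are copied from the report's "Suspicious use of WriteProcessMemory" table
(one row per line, constructed here as input); the parsing regex, the
allow-list of OS images and the benign comparison rows are this example's
own assumptions.
"""
import re

# Constructed input: rows from the report, in the report's own layout
# "PID <src> wrote to memory of <dst> <src> <src_image> <dst_image>".
REPORT_ROWS = """
PID 532 wrote to memory of 952 532 8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe avdisable.exe
PID 532 wrote to memory of 952 532 8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe avdisable.exe
PID 952 wrote to memory of 1408 952 avdisable.exe cmd.exe
PID 1408 wrote to memory of 1792 1408 cmd.exe reg.exe
PID 1408 wrote to memory of 1272 1408 cmd.exe reg.exe
"""

# Constructed benign comparison: an administrator's shell running the same LOLBin.
BENIGN_ROWS = """
PID 1000 wrote to memory of 1001 1000 explorer.exe cmd.exe
PID 1001 wrote to memory of 1002 1001 cmd.exe reg.exe
"""

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Images that may legitimately sit above reg.exe/schtasks.exe in an
# interactive or scripted admin session (assumption; tune per environment).
OS_IMAGES = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe", "svchost.exe"}
LOLBINS = {"reg.exe", "schtasks.exe"}


def parse_rows(text):
    """Return (parent_of, image_of) maps keyed by PID.

    A process's first recorded writer is taken as its parent: CreateProcess
    writes the child's startup data before the child runs, so the creator is
    the first PID seen writing into a new PID. A later writer that is not the
    parent would point at injection instead and is deliberately ignored here.
    """
    parent_of, image_of = {}, {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, dst = int(m["src"]), int(m["dst"])
        image_of[src] = m["src_img"]
        image_of[dst] = m["dst_img"]
        parent_of.setdefault(dst, src)
    return parent_of, image_of


def lineage(pid, parent_of, image_of):
    """Image names from the root ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append(image_of.get(pid, f"pid:{pid}"))
        pid = parent_of.get(pid)
    return chain[::-1]


def suspicious_lolbin_chains(text):
    """LOLBin processes whose ancestry includes a non-OS executable.

    Returns [(pid, "root -> ... -> lolbin"), ...] sorted by PID.
    """
    parent_of, image_of = parse_rows(text)
    hits = []
    for pid in sorted(image_of):
        if image_of[pid].lower() not in LOLBINS:
            continue
        chain = lineage(pid, parent_of, image_of)
        # Every ancestor must be a known OS image; a dropped binary such as
        # avdisable.exe anywhere above the LOLBin is the signal.
        if any(img.lower() not in OS_IMAGES for img in chain[:-1]):
            hits.append((pid, " -> ".join(chain)))
    return hits


if __name__ == "__main__":
    for pid, chain in suspicious_lolbin_chains(REPORT_ROWS):
        print(f"{pid}: {chain}")
    print("benign hits:", suspicious_lolbin_chains(BENIGN_ROWS))
```

On real telemetry the same logic runs over Sysmon Event ID 1 (ParentProcessId/Image) instead of WriteProcessMemory rows; the allow-list is the part that needs tuning, since software deployment tools also spawn cmd.exe and reg.exe.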
Processes
Depth follows the report's tree view. Every reg.exe entry is C:\Windows\system32\reg.exe and every schtasks.exe entry is C:\Windows\system32\schtasks.exe; only the command line and PID are shown for those.

- PID 532  C:\Users\Admin\AppData\Local\Temp\8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\8a86db3b2d144844a959cf43dbe8ff4dc80b9ce0513e5bd7dd9fdf9325a4f2ac.exe"
  sigs: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - PID 1932  C:\Windows\SysWOW64\cmd.exe
    cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\opener.bat" "
  - PID 952  C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe"
    sigs: Executes dropped EXE; Suspicious use of WriteProcessMemory
- PID 1616  reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
- PID 2028  reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
- PID 588  C:\Users\Admin\AppData\Local\Temp\RarSFX0\PayPal-Restore.exe
  cmd: PayPal-Restore.exe -dC:\Users\Admin\AppData\Local\Temp
  - PID 904  C:\Users\Admin\AppData\Local\Temp\RarSFX1\PayPal-Restore.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\PayPal-Restore.exe"
- PID 1000  reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
- PID 1960  reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
- PID 432  reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
- PID 1596  reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
- PID 1508  reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
- PID 1468  reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
- PID 1812  reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
- PID 1772  reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
- PID 1992  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
- PID 1964  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
- PID 452  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
- PID 688  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
- PID 1684  schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
- PID 944  reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
- PID 1732  reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
- PID 1736  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
- PID 1156  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
- PID 1196  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
- PID 1740  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
- PID 1628  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
- PID 676  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
- PID 564  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
- PID 2044  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
- PID 1008  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
- PID 2036  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
- PID 2020  reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
- PID 1272  reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
- PID 1792  reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
- PID 1408  C:\Windows\system32\cmd.exe
  cmd: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\234A.tmp\234B.tmp\234C.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe"
  sigs: Suspicious use of WriteProcessMemory

Notes on the tree:
- Packaging. The sample is a WinRAR self-extractor (the RarSFX0 drop folder) that runs opener.bat and avdisable.exe. PayPal-Restore.exe is a second SFX nested inside it: the -d switch is the SFX destination-folder option, and its contents land in RarSFX1, from which a second copy of PayPal-Restore.exe runs (PID 904). That inner process is where the LimeRAT config was extracted from.
- avdisable.exe is a batch-to-exe wrapper. It unpacks 234C.bat under %TEMP%\234A.tmp\234B.tmp\ and runs it through cmd.exe with its own path as the argument (PID 1408), which is the standard layout such wrappers use. The 32-bit sample spawns C:\Windows\SysWOW64\cmd.exe, while avdisable.exe reaches the 64-bit cmd.exe via the sysnative alias, which only exists for 32-bit processes under WOW64; both droppers are therefore 32-bit.
- The reg.exe and schtasks.exe processes sit at the top level of the tree view, but the WriteProcessMemory rows tie PIDs 1792 and 1272 to cmd.exe 1408, and every command here is a line of 234C.bat. The tree does not preserve execution order; the rows list 1792 (wholesale delete of the Windows Defender policy key) before 1272 (DisableAntiSpyware), consistent with a reset-then-set script that wipes the key and then writes its own values.
- What the script does: sets Start=4 (SERVICE_DISABLED) on the Defender service and its filter/boot/network-inspection drivers; removes the Defender "Scan with" shell extension (EPP) and the SecurityHealth tray autorun; disables the Defender and Exploit Guard scheduled tasks; sets Start=0 on the two Defender ETW autologgers; and sets policy values that turn off real-time, on-access, IOAV and behaviour monitoring, cloud reporting and sample submission, block-at-first-sight, PUA detection, and finally DisableAntiVirus/DisableAntiSpyware.
- Environment caveat. The run is on a Windows 7 x64 image, where WdNisSvc, WdNisDrv, WdFilter, WdBoot, the SecurityHealth autorun, the Exploit Guard task and these Windows Defender task names do not exist (they are Windows 8.1/10 components). Most of those commands fail or change nothing in this sandbox; the script is written for Windows 10, and on Windows 10 with Tamper Protection enabled the real-time and cloud policy writes are themselves blocked. The detection value of this run is the command lines and process chain, not the resulting system state.
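The reg.exe and schtasks.exe command lines above are exactly what a rule on process-creation telemetry with command-line logging (Sysmon Event ID 1, Windows 4688) sees. The Python below is an added example, not code from the report or from the malware: it parses those command lines with regexes written for this page, buckets them into the tampering categories the batch script exercises (service start disabled, Defender policy values, ETW autologger, shell extension, tray autorun, scheduled tasks, wholesale policy-key reset), and ignores unrelated reg/schtasks usage. The sample list copies twelve lines from the tree and adds two constructed benign ones; category names, the Defender service list and the regexes are this example's own.

```python
"""Classify Windows Defender tampering command lines.

Added example for this page, not code from the report or the malware. The
sample command lines are copied from the process tree above (plus two
constructed benign lines); the regexes, category names and the Defender
service list are this example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: command lines as process-creation telemetry
# (Sysmon Event ID 1 / Windows 4688) would record them.
SAMPLE_CMDLINES = [
    r'reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    r'reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f',
    r'reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f',
    r'reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f',
    r'reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f',
    r'schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    r'schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable',
    r'reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    r'reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f',
    # Constructed benign lines: same tools, unrelated targets.
    r'reg add "HKCU\Software\Contoso\App" /v "Theme" /t REG_SZ /d "dark" /f',
    r'schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable',
]

# reg.exe syntax as used here: quoted or bare key, optional /v /t /d, optional /f.
REG_RE = re.compile(
    r'^reg\s+(?P<op>add|delete)\s+(?:"(?P<key>[^"]+)"|(?P<key_bare>\S+))'
    r'(?:\s+/v\s+(?:"(?P<value>[^"]+)"|(?P<value_bare>\S+)))?'
    r'(?:\s+/t\s+(?P<type>\S+))?'
    r'(?:\s+/d\s+(?:"(?P<data>[^"]+)"|(?P<data_bare>\S+)))?'
    r'(?:\s+/f)?\s*$',
    re.IGNORECASE,
)
SCHTASKS_RE = re.compile(
    r'^schtasks\s+/change\s+/tn\s+"(?P<task>[^"]+)"\s+/disable\s*$', re.IGNORECASE
)

DEFENDER_SERVICES = {"windefend", "wdnissvc", "wdnisdrv", "wdfilter", "wdboot"}
SERVICES_ROOT = "hklm\\system\\currentcontrolset\\services\\"
AUTOLOGGER_ROOT = "hklm\\system\\currentcontrolset\\control\\wmi\\autologger\\defender"
POLICY_ROOT = "hklm\\software\\policies\\microsoft\\windows defender"


def classify(cmdline):
    """Return (category, detail) for one command line, or None if unrelated."""
    cmd = cmdline.strip()
    m = SCHTASKS_RE.match(cmd)
    if m:
        task = m["task"]
        if "windows defender" in task.lower() or "exploitguard" in task.lower():
            return ("scheduled_task_disabled", task)
        return None
    m = REG_RE.match(cmd)
    if not m:
        return None
    op = m["op"].lower()
    key = (m["key"] or m["key_bare"]).lower()
    value = (m["value"] or m["value_bare"] or "").lower()
    data = m["data"] or m["data_bare"]
    leaf = key.rsplit("\\", 1)[-1]
    if key.startswith(SERVICES_ROOT):
        # Start=4 is SERVICE_DISABLED: the service will not start on next boot.
        if leaf in DEFENDER_SERVICES and value == "start" and data == "4":
            return ("service_disabled", leaf)
    elif key == POLICY_ROOT and op == "delete" and not value:
        # Wipes every Defender policy value at once (also undoes earlier adds).
        return ("policy_key_reset", key)
    elif key.startswith(POLICY_ROOT):
        return ("policy_tamper", f"{value}={data}")
    elif key.startswith(AUTOLOGGER_ROOT) and value == "start" and data == "0":
        # Start=0 keeps the Defender ETW autologger session from starting.
        return ("etw_logger_disabled", leaf)
    elif key.endswith("\\shellex\\contextmenuhandlers\\epp") and op == "delete":
        return ("shell_extension_removed", key)
    elif value == "securityhealth" and op == "delete":
        return ("tray_autorun_removed", key)
    return None


def summarise(cmdlines):
    """Group tampering hits by category: {category: [detail, ...]}."""
    groups = defaultdict(list)
    for line in cmdlines:
        hit = classify(line)
        if hit:
            groups[hit[0]].append(hit[1])
    return dict(groups)


if __name__ == "__main__":
    for category, details in summarise(SAMPLE_CMDLINES).items():
        print(f"{category:26} {details}")
```

Any single category firing from a non-interactive parent is worth an alert; several categories within seconds from one cmd.exe, as in this run, is the batch-script signature and should page regardless of whether the target keys exist on the host.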
Network
MITRE ATT&CK Enterprise v6
Downloads
The report lists 15 dropped-file entries. Several entries carry identical content (the sandbox records one entry per path written; the paths are not present in this copy), so they are grouped by hash below with the number of entries each appears in.

- 3KB (1 entry)
  MD5    8760b15c6d12ecc70594fc8db876c68c
  SHA1   b1d47a27bf45db9955f07c773a5a334e3b528a97
  SHA256 9a3d9f84626d1443b0e1fc1afe22cc4045c20714b98838e94542991039cf8463
  SHA512 0463204ebabf6465ba3be44b31dc235ba240f1899b41336655a3f361932b8225326d8ab7c53130d4ded9412193d5967f805221212b964d6a54492d0f2c331dee
- 362KB (3 entries)
  MD5    9f150fdb9779485a9b4af5875a48aaf7
  SHA1   47e2d38e7c69a8e7f0e2993f3f8cb131483aa97f
  SHA256 981c27f97402dab365ed009cff2ab23946424a8f0b1d31f080c1e8675434434a
  SHA512 b4e94b127f75afb8fcc3d9555ecc608141b27e81755d3b9ffe0ef8632a7594806564f3e5a6dbbc2869b77c11d4570afc7b167440bcdf6f49934f2b4dbb4357df
- 56KB (1 entry)
  MD5    b644afe28f2368af7da90246d13bce4a
  SHA1   cd24a837643a47a240c7402592f47ba2e4a978b0
  SHA256 e522c2e61f111716eb1b89ab6daf113c9537464f3dafc89a111e60bf6f1d84e5
  SHA512 1dd0e33a4bceb3811565fc503e5d12c9bfa0f6687b94ad3232af1cd4bd092ea4759b0d82b3728f1ef203cd902ec1d5ac34fda25b167e001270524280f6a96d90
- 27B (1 entry)
  MD5    76b34b8a915e15e32871820b24a60556
  SHA1   aabf1487a5dc1880d5c8a6979666b215dc09a837
  SHA256 ff8a34a62c2f4b7b5c058f67cfbbe5df9e74541f909a3b7f8c9fc8155b72d7a1
  SHA512 2c0d801537d7576ab03b1eda1b0c60eb41525b4bd57b1a77a383b83dd49d20327b16162c7721c0e7b635734f6d96ffa4290dafc6350917ffa7114780d1716ffb
- 82KB (6 entries)
  MD5    54a1574cacf95b6c5c9c597d8d76de45
  SHA1   4879d75f50d747a400c03ab9700e816ec0607fe6
  SHA256 67f6ae56cdde6082b3cf05ba9a1a730dcf2e63eeb291507f1420b818d6e05eb1
  SHA512 869b1ae4b939c4a2ea6528c9639de811bbd6048c686c4a2a0ae63443510b7575fa816890a13e83504afb5ce0322de228c1c6db3ab9c437a35a6fb8eabd5aeb2f
- 63KB (1 entry)
  MD5    31120f8f17f419583be650465cde8f50
  SHA1   fe3ea43bb6b214d4e8e32f879811f6a7016d57e5
  SHA256 a7b1756b3578853214a128219c0c005959b39c7105e5eb09b4484caeb877cd61
  SHA512 6b80e28890aaeb963abe721eb020ab5ea336974a6be563cb9ada5648a4db074895a42f27591429e99a57e402a587699938724a20ef60c232e6bb8475f4bfee80
- 43KB (1 entry)
  MD5    fe4788726b2255e2aa33654f90e7f731
  SHA1   da0181a736a57f57022d241e58fc6f4c25cec755
  SHA256 9b0889135e08318e0f310913bac7ef86ed1af884ec460c11a66c7190195961a9
  SHA512 550c50506d5adcfdf22d9c4252e8ad35ccd6eadb02a18185dd2fb7edab57a5e49c99d87ce5c7b9127d94131a71d513481cf0badd36630ed2c3e3ae6743429f33
- 81KB (1 entry)
  MD5    2b9eee13a0e979e7cce3cbd274386be9
  SHA1   f7ac238066df9d83add932190055185a59d015d2
  SHA256 2b552c6f59b52970e7c86ebe757293d57af3a1f5260b52744773edb5772e0576
  SHA512 038caa0f92a17f8e9b3c56cc8afcde172703f28e0f0eb76a81cacc89290055f0343b1d6d1cb777e4673550bd4f5cc8ca9a8e4bc8bd32c9bb10d47bb2767cc0ed